GDPR “Unknown Unknowns”

The art of privacy, and why what you don’t know (about the GDPR) WILL kill you.

By Eh’den Biber

Introduction

A few years ago, I had a colleague that was about to depart on a flight to a lovely vacation with his wife. As the airplane was waiting for the signal to lift off, my colleague wife started to scream. I mean REALLY scream. As my colleague wife had taken many flight before, my colleague had no idea what the fuck is going on (forgive my French). Long story short – airplane went back to the terminal, my colleague and his wife were being taken off the airplane, severe sedatives were used, and instead of a lovely vacation my colleague spent the next few days in a mental institute seeing his loved one going via hell. This whole thing followed a long recovery process, and almost broke him to pieces as well.

That is how “unknown unknown” feels like when it explodes in your face. You can’t quantify it, you experience it, but you don’t understand it, and it devour you to pieces, into a hell you didn’t even knew exists. Panic attack are so scary because you don’t what you’re hitting. Imagine Usain Bolt running his phenomenon 100-meter dash and just as he is about to cross the finish line he smashes into an invisible wall. Jordan Peterson explains that encountering the unknown is at the root of all PTSD, and can break people, even lead them to kill themselves.

And this is, my friends, is how GDPR is going to feel like to most organisations.

GDPR

The GDPR became a buzz word by consultancy firms (e.g. big 4) who loved the way it allows them to sell more services. It was a heaven to vendors, who suddenly re-labelled their products with annoying ads such as “Our refrigerator is GDPR compliant and can handle all your deep data needs” (meaning – they have a freezer they want to sell you). It’s been abused by anyone, most likely by me as well. Right now, the information industry is in the midst of a turret attack with the words “GDPR” and “privacy” substituting the foul language used by some people who have the syndrome.

“But isn’t raising awareness is good?” you might ask yourself. After all, organisations must prepare for the GDPR who will become a law in 2018.

Well, yes and now. The biggest problem is that what most of the current activities I’ve seen so far are doing is creating a risk most organisations have no clue about. An Everest of “unknown unknowns” that is going to explode sooner or later.

“What is that Everest????? Tells us!!!” you demand.

“Are you sure?” I asked cautiously

“YES!!!! Please!”

“OK, the unknown unknown that I talked about is … privacy.”

(silence)

“What the hell!!!! really? Privacy? That’s what you been scaring us with? We get privacy. We have a DPO. We mitigated all the risks we identified (thanks to our beloved consultancy firm). We bought technology. We even have a privacy awareness program. OK, it’s a computer based training, but still, it’s the top of the art one! What the heck are you talking about?”

I stand firm by what I said. let me use capital letters, with a bold, to shut it out to you:

YOUR ORGANISATION HAVE NO IDEA WHAT PRIVACY IS.

If you think…

If you think that having a designated person with the title DPO which might understand privacy you’re ready for the GDPR – you’re not. If you think that because you have a work order for a privacy program you’re ready for the GDPR – you’re not. If you think that because you used automatic discovery tools to identify where your data assets are located you’re ready for the GDPR – YOU’RE NOT. As Moliere once said – a man should be allowed to speak in public for as long as he can make love. Boy, I can make love with this GDPR for hours. Let me give you one example…

CEO Classroom

As you surely know, one of the GDPR pillars is “privacy by design”. It’s this notion that when you design an information system you must take into the design process all the aspects of the GDPR. So far, so good, right? WRONG.

Let’s imagine a classroom full of kids, sorry, CEOs. Fade into classroom:

“Hey there, who can tell me who is responsible for making sure your organisation will follow the privacy by design requirements?”

One CEO was about to speak, but the person next to him noticed it, and smashed his head into the table (obviously, much more seasoned executive). He now jumps up and down on his chair: “I know!!! I know!!! I know!!! me, me, me!!!!”

(me, playing the role of the teacher): “OK dear, what would you like to say”

(the CEO, with a delight smile on his face): “It’s the DPO”

Now you understand why people don’t want to work in education, right?

“No, it is not the DPO. It’s everyone. Everyone in the organisation needs to be thinking of privacy. Everyone are responsible.”

“I was about to say everyone, but he smashed my head” (the other CEO is lifting his bleeding head from the table).

“and how were you going to do it?” (forced back into my fake tutoring position)

“we have a privacy awareness program”.

“Who exactly is running it?” (a glimpse of hope raises within me)

“a person in our privacy team is leading the effort”.

“And how did you hire him?” (high expectations raises)

“Our HR and the DPO did it. Can I get my bonus now?”

Oh, no you don’t. CEO classroom fades away.

Forgive my French

You see, privacy, like the true nature of information security, like the bigger reality, is unknown to people. It’s what the French language is for most of the people who are British. If you’re British and you learned it in School, you might be tempted to think you know it. But ask any French person, he will tell you that British people don’t get French. Michel Thomas, the master of languages explained in his French training, that in English, when you don’t understand something you say “I didn’t understand it, can you repeat” and the person will repeat the sentence he just said. In French, if you will say the same thing the French person will assume you didn’t understood him and he will re-construct a totally different sentence.

To most people in most organisations privacy is an unknown foreign language, teaching them a few catch phrases might going to help if they plan to go to a bar to get laid, but it’s not going to help them to write a novel. To develop information following the privacy by design principles is like writing a novel. You know what French people call a novel written in French by a typical British person? A waste of paper.

Awareness Rant (SANS)

Before privacy we been trying to make people act as if information security is part of their “DNA”, and we failed. Not only we failed, we become expert in our failure. Take for example the SANS Annual European Awareness Summit – its agenda is mostly useless. This year I decided to try and approach them and suggest to do a lighting talk. Hey, after all, I’ve been writing about the subject of awareness for many years, I’ve done more research into multiple approaches that most people in the field never even heard of, and I’ve already did more than a decade ago things people do today. I got … no reply.

So yes, the awareness industry been promising to make people change their behaviours and we see no evidence it works so far. How come they can do it? Perhaps because the dedicated team of people who supposed to understand what make people do things, and how you can influence them (aka “HR”) are in most organisation a human bureaucracy office, because that’s the board understanding of human nature.

You expect the human resources departments who had no clue on how lead individuals to change their information security awareness/culture to succeed in privacy awareness/culture change. Who are you fooling?

DPO

In the last few months I’ve been approached endlessly by multiple organisations to who wanted someone to lead their information security and privacy activities. HR decided I can o both. How? HR have no clue what privacy is, and I know it because they have no idea what information security is. I had to sit down in way too many telephone interviews arranged by HR, wishing I had more hair so I could tear it because the person on the line didn’t match at all the position I was wishing to fill. HR thought they fit. If privacy is like French, how can you tell that your DPO is speaking French or just talking with a fake French accent? Your organisation can’t tell, because no one in it speaks French. If you had one, he would already have been the DPO!

Same for the people whom you plan to hire to do the awareness training. Here the situation is even more complicated – you need to hire someone who speaks the French, sorry, Privacy language, AND you need to find a person who can explain this mysterious unknown thing to the people, to introduce it to them. Do you know who did such things throughout the years? Creative people. Artists.

Creativity

In a recent talk about creativity Jordan Peterson explained that our perception of reality is very different from how it was before the impressionists’ artists came along. If you don’t believe me, take a visit to an art museum near you and go to the period before impressionism. It looks completely different, and it represented the way people perceived things.

Here is Jordan Peterson: “Art is exploration, it trains people to see. Most of you regard impressionist art as both self-evidently beautiful and also as relatively traditional, because you all now see as impressionists see… the impressionists’ ascetics saturated everything. Saturated advertisements, saturated movies, it saturated everything. You now see like impressionists. They taught you to see. But back when the impressionists first showed up there were riots when their art was hung because the idea of perceiving that was so radical that it caused people to have emotional fits. Art teaches people to see and I mean that literally.”

You see, in order for you to teach others to “see” privacy you need privacy artists. Most likely, if your organisation is built upon the common corporate governance framework the chances of it being able to nourish artists, which are extremely creative people is very low. Artists don’t like structure, they always challenge it, because they see the world differently than others. It has biological roots, it is part of their personality which makes them as such. Organisations need such people, but have no idea what to do with them.

Usually it goes something like that:

“Hi, you are our new creative person? great to meet you. I heard you are passionate about expanding the horizon of our organisation on privacy, right? great” (the “great” was said in a very passive aggressive tone).

“So here is your cube, where you are required to be creative. I need you to give ma the schedule of how you plan to do it by next week. Oh, and don’t break anything. Oh, and don’t question anything. Oh, and don’t disturb anyone. Where are you going? Please stay!!!”

You might think I’m kidding, but this is a real problem most organisations experience when it comes to recruitment of creative people. Jordan Peterson explained in the talk I mentioned that creative people are the entrepreneurial type, and systems need them, but systems do not nurture creativity, because systems are the antithesis of creativity.

Solution time

The GDPR is about empowering the data subjects. As such, if you want to be sure that you will not collapse under an Everest of GDPR “unknown unknowns” you need to seek for an external provider who loves privacy, who lives privacy, who thinks privacy, who feels privacy. who dreams privacy, who speaks privacy, who is passionate about privacy, who believes in privacy, who is a champion of privacy, who understand how to make people be more aware to their privacy rights. Privacy artists.

Find such provider, speak with them, ask for their advice on how to introduce to the people in your organisation this unknown language. If you don’t, your organisation will end up one day like my work colleague, but in your case, it will be experiencing a total privacy failure, having no clue what hits it, and going via a hell it never imagined possible.